3 Answers
3

Set up a 2nd server (such as a virtual machine, or a 2nd daemon on the same host). Use a rewrite rule to reverse proxy requests for something optional to the 2nd server, like an invisible image hidden on the page. Configure the 2nd server to only allow TLS 1.2; don't hotlink to another hostname... make sure to proxy, or it won't be secure so maybe the browser will have a warning, or maybe just never load the image.

Then track the requests for the image. Clients without support should have SSL/TLS errors. Clients with support would generate some '200 OK' logs. If the log doesn't say anything useful, try proxying to some JavaScript instead, which can do an AJAX request to log the traffic when successful (but a script blocker may stop this).

For testing your 2nd server's SSL/TLS support before you rely on logs to make sense, use a good test like nmap, which can list lots of details.

One possibility would be to use a reverse proxy (Squid, Apache, etc.) which can log the SSL/TLS handshake version. Alternatively, if you have a very limited (speaking of single-digit) number of webservice hosts, you could use Wireshark directly on the server to analyze the handshakes.

I'm not aware of any way of checking server logs to see what SSL/TLS protocol was used for the connection for Windows Server (it's easy enough with Nginx and Apache).

So the best way I can think of doing this is if you use any analytics software (e.g. Google Analytics) which track OS and browser versions. This won't be 100% accurate (some people turn off JavaScript and/or tracking in their browsers).

You can also use the SSL Labs scanning tool (https://www.ssllabs.com/ssltest/), which will scan your site to test your SSL/TLS setup, including telling you which version of TLS and which cipher a list of reference browsers will use. Highly recommend doing this scan anyway to see the state of your SSL/TLS config.

You will be mostly concerned with older versions of IE and older versions of Android.

You could also do some browser detection on your website to add a warning to these users for a month or so before you switch off TLS 1.0 and 1.1. It's very easy to have a "[if lt IE 11]" statement to include a CSS style sheet which shows a warning for older IE versions. However, IE10 no longer supports this syntax in standards mode and it is an affected browser. Also, doing this for older Android browsers is not as easy.
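Following the reverse-proxy logging suggestion and the Nginx/Apache remark in the answers above, this added example (not code from any of the answers) tallies the negotiated protocol per client from an access log. The log format, built on nginx's `$ssl_protocol` and `$ssl_cipher` variables, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed nginx access-log format (an assumption, not from the page):
#   log_format tls '$remote_addr [$time_local] "$request" $status '
#                  '$ssl_protocol $ssl_cipher "$http_user_agent"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" \d{3} '
    r'(?P<proto>\S+) \S+ "(?P<ua>[^"]*)"$'
)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # protocols about to be disabled

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
203.0.113.10 [12/Mar/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 10.0) Chrome/64.0"
198.51.100.7 [12/Mar/2018:10:00:05 +0000] "GET /api HTTP/1.1" 200 TLSv1 AES128-SHA "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.7 [12/Mar/2018:10:00:09 +0000] "GET /img.png HTTP/1.1" 200 TLSv1 AES128-SHA "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
192.0.2.44 [12/Mar/2018:10:01:00 +0000] "POST /ws HTTP/1.1" 200 TLSv1.1 ECDHE-RSA-AES256-SHA "Dalvik/1.6.0 (Linux; U; Android 4.3)"
192.0.2.90 [12/Mar/2018:10:02:00 +0000] "GET / HTTP/1.1" 301 - - "curl/7.58.0"
this line is truncated garbage
"""


def summarize(lines):
    """Tally negotiated protocols and list clients still on legacy versions."""
    by_proto = Counter()
    legacy = defaultdict(Counter)  # (protocol, user agent) -> {ip: requests}
    skipped = 0
    for raw in lines:
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if m is None:
            skipped += 1           # malformed line: count it, don't guess
            continue
        proto = m["proto"]
        if proto == "-":           # nginx logs "-" for plain-HTTP requests
            by_proto["no-tls"] += 1
            continue
        by_proto[proto] += 1
        if proto in LEGACY:
            legacy[(proto, m["ua"])][m["ip"]] += 1
    return by_proto, {k: dict(v) for k, v in legacy.items()}, skipped


if __name__ == "__main__":
    protos, legacy, skipped = summarize(SAMPLE_LOG.splitlines())
    print("protocols:", dict(protos), "| unparsed lines:", skipped)
    for (proto, ua), ips in sorted(legacy.items()):
        print(f"{proto:8} {sum(ips.values()):3} req  {len(ips)} ip(s)  {ua}")
```

Clients whose handshake fails never reach the access log, so run this while TLS 1.0 and 1.1 are still enabled: a client that negotiates `TLSv1` against a server also offering TLS 1.2 is one that will break after the switch.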